According to recent research, 58 data records are stolen every single second. And for every one that falls into the hands of hackers, businesses pay an average $141. That is why worldwide the average total cost of a data breach in 2017 reached $3.6 million.
Cyber attacks come in many forms, each designed to bypass security measures and deflect suspicions. The likelihood of an attack is incredibly high no matter how small a business is or what industry it operates in. Worse, as the above data indicates, any attack is going to be expensive and consequential.
It is essential for all enterprises to take cybersecurity seriously and to put extensive protections in place. Even with that mentality, however, many cybersecurity strategies prove to be shortsighted and create issues/obstacles as a result.
They say an ounce of prevention is worth a pound of cure, and that could not be truer for cybersecurity. Use the following step-by-step guide to implement comprehensive cybersecurity, prevent a data breach, and minimize the consequences of attacks you can't avoid.
Assess the threats and risks
You won't know how to properly protect your business until you understand what kinds of threats and risks it faces in terms of cybersecurity. Assessment is a two-step process. The first step is to look at the IT assets your business relies on and consider all the different ways those are open to attack. The second step is to consider the data and other electronic assets within your business and evaluate what value they would have to criminals.
The goal of this process is to estimate how vulnerable a business is to attack. Most businesses assume they are better protected than they really are or else too small of a target to get attacked. As a result, they take a lax approach to cybersecurity. Step one is about making and honest an accurate evaluation of strengths/weaknesses, then using that evaluation to make measurable improvements to cybersecurity.
Focus your efforts
The frustrating fact is that the average network is full of vulnerabilities and weak points, and motivated hackers have a number of attack strategies to choose from. It is unfeasible for most businesses to try to protect every asset against every threat. However, it is both possible and essential to protect against the most common and consequential types of attacks. Typically, a cybersecurity strategy is focused on five areas:
- Firewalls and internet gateways
- Secure configurations
- Access controls
- Malware protections
- Patch management and software updates
When companies have limited cybersecurity resources to work with, it's important to apply them strategically. By dedicating time, investment, and attention to the five areas outline above, companies deflect the vast majority of hackers and attacks. It may not provide perfect levels of protection, but it does ensure that the most preventable problems do not become roadblocks or stumbling points.
Secure data on site and in transit
The riskiest aspects of cybersecurity are often the most overlooked. For instance, sensitive information is vulnerable in both digital and physical form. If a bad actor gained access to your office they could cause a lot of damage simply by stealing printouts. And with a flash drive and few minutes of privacy they could steal huge deposits of data. Securing physical equipment/data is just as important as securing networks.
Mobile devices are another unavoidable issue. Employees often use personal laptops, phones, and tablets to conduct work. And they are often working in cafes, airports, cabs or other places where it's easy to lose a device. Since these devices typically have poor access controls and limited cybersecurity, important information on a lost phone could very easily fall into the wrong hands. Putting policies and protections in place that cover mobile devices and off-site employees closes a major cybersecurity gap.
Secure data in the cloud
Any business that relies on cloud storage or service offerings must be conscious of how those cloud platforms are secured. The cloud provides appealing levels of accessibility, economy, and flexibility. However, it also puts data at risk when it's in transit and raises important concerns about how well the cloud is protected. Security concerns are not great enough to give up on the cloud, but businesses must evaluate platforms and providers carefully before trusting them to safeguard sensitive data.
The stability of the platform is another concern. Sometimes the worst IT issues are accidental rather than intentional. Due to user error or oversight data/applications may go offline, slow down, or otherwise malfunction. And when they do, it's either difficult or impossible to conduct business as usual. If businesses are going to entrust mission-critical assets to a cloud platform, they must feel confident that platform is administered effectively.
Invest in data backup
It's never a wise strategy to assume that you can identify, prevent, or deflect every single threat. The better approach is to acknowledge that problems are inevitable and work actively to minimize the consequences. Data backup is essential. When data is lost, corrupted, or destroyed it is gone for good. Companies may be able to resolve or overcome other consequences of a cyber attack, but there is no way to get back the information and value contained in lost data.
Comprehensive data backup ensures that no matter how badly a network is affected, data is protected. Plus, data backup helps businesses foil things like ransomware attacks. Rather than paying hackers to restore access to data, businesses simply retrieve it from the backup. Ideally, backup is not necessary. But if and when it does become necessary it's invaluable. There is often a thin line between recovery and permanent failure. Data backup provides one more tool to help businesses get back up instead of fall further down.
Train your staff
It's a misconception that cyber attacks utilize technical trickery into order to infect a network. It's much more common for them to try and trick users in order to bypass access controls and cybersecurity measures. Users cause a shockingly high number of attacks, which is why they are also such a potent defense.
Educating staff about the importance of cybersecurity ensures everyone takes the issue seriously. Training staff how to spot, report, and avoid potential problems does a lot to reduce the effectiveness of attacks. Finally, monitoring and testing users allows companies to spot minor issues and problematic behaviors before they have serious consequences. Making a serious and ongoing effort to train staff turns a weakness into strength.
Make monitoring a priority
Cyberattacks often go on for weeks or even months without being noticed. And the time after they have infected a network but before they have been noticed is when they are extracting the most data and doing the most damage. This is an issue because companies often fail to monitor threats and defenses in an active way, and they many even lack the ability to monitor at all. As a result, problems are able to spread and become much harder to resolve.
Not every business can afford to keep full-time cybersecurity on staff, but every business must approach the issue in a systematic way. Checking for warning signs should be a regularly scheduled event, as should installing patches/updates and working though the rest of a cybersecurity checklist. It's understandable to miss a threat on the outside of the defensive permitter. It's unacceptable to overlook one on the inside.
Put a plan in place
The last several steps have focused on contingencies – the actions you take when cybersecurity somehow falls short. If the history of cybersecurity has one lesson to teach it's that no organization is immune to attack. Every effort must be made to prevent that, but the inevitability cannot be dismissed or diminished. Rather than scrambling to respond/recover, however, businesses should follow a plan that has been carefully organized in advance.
The plan should outline exactly how, when, and where specific staff need to act in the wake of a cyber attack. It should account for different types of attack, and it should include contingencies to cover the unexpected. The goal is to provide clarity and guidance during the confusion and chaos or a cyber attack. Ideally, a detailed and thoughtful plan minimizes the damage of the attack while maximizing the company's ability to resolve and recover.
Consider your contractors
Companies that work closely with third parties often have shared IT resources. That means cybersecurity issues at a vendor or supplier could compromise your own business. Even if the overlap between systems is minimal, an attack can leap between victims and reach the heart of a network through unexpected back channels.
This creates a situation where the chain is only as strong as the weakest link. When third parties take a lax approach to cybersecurity it puts everyone else at risk. Unfortunately, this risk is often overlooked and unknown. A part of any cybersecurity strategy must be considering how business relationships also create business risks. As a result, some companies elect to only work with third parties that can demonstrate or guarantee certain levels of security.
Invest in cyber insurance
A refrain throughout this piece is that companies can do a lot to improve cybersecurity, but it's basically impossible to guarantee cybersecurity. Organizations ranging from major global enterprises to government defense and security agencies have been victims. Thankfully, cyber insurance provides a last line of defense.
Coverage is designed to help companies recoup financial losses related to a cyber incident. Those could include legal costs, investments in new security, victim notification, regulatory fines, and extra marketing efforts. Cyber insurance cannot prevent an attack, and companies may still suffer as a result of a data breach. What cyber insurance does do, however, is ensure that companies can recover by giving them the financial means to do so. Considering that cybersecurity is only becoming more complex and more urgent, cyber insurance must be thought of as mandatory. Companies that forego it accept a lot of risk and uncertainty in return.